Re: SSH and restricting to a chroot jail

From: Kasper Dupont (kasperd@daimi.au.dk)
Date: 03/25/02


From: Kasper Dupont <kasperd@daimi.au.dk>
Date: Mon, 25 Mar 2002 14:14:33 +0100

Philip McD wrote:
>
> > 3) Use a userid for that single purpose, and perhaps
> > limit the network access for that user by special
> > firewall rules.
>
> This is the bit I'm having difficulty with - do you mean I create a user
> called say ssh_jail that has permission to run chroot? I'm still not sure
> *how* I make the chroot happen every time someone ssh's - but I think the
> patch supplied by Nico does this.

No, I would suggest you write a program that will do the
following:

1) chroot to the desired directory.
2) chdir to the home directory within the chroot jail.
3) set all user and group IDs to the desired user.
4) execute a shell or something else.

This program, when compiled, should be installed outside
the jail and be used as the user's default shell. This
means that either the mentioned program should be suid
root, or the entry in /etc/passwd should have the UID
listed as 0. Of course, only your own little program
should be run with UID 0, and it should change to something
else as soon as possible; this program obviously must
be reviewed very carefully.

-- 
Kasper Dupont -- who spends too much time on usenet.
For sending spam use mailto:razor-report@daimi.au.dk
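A minimal C implementation of the four-step wrapper shell Kasper describes (chroot, chdir, drop IDs, exec), added here as an example and not code from the thread. JAIL_DIR, JAIL_HOME, JAIL_UID, JAIL_GID and JAIL_SHELL are assumed placeholder settings, and the jail is assumed to already contain the shell and its libraries; the binary would be installed outside the jail, setuid root, and set as the user's login shell.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/* Assumed placeholder settings; a real deployment picks its own values. */
#define JAIL_DIR   "/var/jail"    /* root of the jail, must be root-owned and not user-writable */
#define JAIL_HOME  "/home/user"   /* path *inside* the jail to chdir into */
#define JAIL_UID   1001
#define JAIL_GID   1001
#define JAIL_SHELL "/bin/sh"      /* path *inside* the jail */

/* Steps 1 and 2: chroot, then chdir to a path under the new root.
   The chdir after chroot matters: a cwd left outside the jail is a classic escape. */
int enter_jail(const char *jail, const char *home) {
    if (chroot(jail) != 0) { perror("chroot"); return -1; }
    if (chdir(home) != 0) { perror("chdir"); return -1; }
    return 0;
}

/* Step 3: drop every ID. Order matters: supplementary groups and gid first,
   because once setuid() has given up root the process may no longer change them. */
int drop_privs(uid_t uid, gid_t gid) {
    if (setgroups(0, NULL) != 0) { perror("setgroups"); return -1; }
    if (setgid(gid) != 0) { perror("setgid"); return -1; }
    if (setuid(uid) != 0) { perror("setuid"); return -1; }
    return 0;
}

/* Verify the drop: real and effective IDs match, and root cannot be regained. */
int privs_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return 0;
    if (getgid() != gid || getegid() != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;   /* saved uid was still 0 */
    return 1;
}

int main(void) {
    if (enter_jail(JAIL_DIR, JAIL_HOME) != 0) return 1;
    if (drop_privs(JAIL_UID, JAIL_GID) != 0) return 1;
    if (!privs_dropped(JAIL_UID, JAIL_GID)) { fputs("still privileged\n", stderr); return 1; }
    /* Step 4: replace this process with the shell, with a clean environment. */
    char *const argv[] = { "-sh", NULL };
    char *const envp[] = { "HOME=" JAIL_HOME, "PATH=/bin:/usr/bin", NULL };
    execve(JAIL_SHELL, argv, envp);
    perror("execve");   /* only reached if the exec failed */
    return 1;
}
```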
